Microsoft deflects charges of worm woes

Microsoft refuted claims Wednesday that the main Web site for its FrontPage software had been infected by the Nimda virus, despite the antivirus software alarms set off by viewing the site.

On Wednesday, several security experts believed that the software giant--which has often put the responsibility on customers to patch software holes--had apparently failed to patch at least one major server.

However, Christopher Budd, security program manager for Microsoft's security response center, said that wasn't the case.

"No one is being infected," he said. "There is no code to infect people."

According to Budd, a third-party content provider that apparently created the elements for the FrontPage site had been infected by Nimda. The worm caused all the HTML files created by the third-party provider to include the script that attempts to upload the worm--masquerading as a file called "readme.eml"--to the browser's PC.

However, even PCs with no antivirus protection wouldn't have been harmed, because there was no file to upload.

"It's an impotent reference," Budd said. "For a PC to be infected by a server, we have to have the script and the payload, but there was no payload on the page."

When the third-party provider copied the HTML file to Microsoft's servers, the actual virus was left behind, protecting the software giant. While Budd insisted the server had not been infected, he would not make the same claim for all of Microsoft's systems.

As of Wednesday at 3:30 p.m. PDT, Microsoft's Web site seemed to have been fixed.

The close call with the Nimda worm had security experts criticizing the software giant for not protecting customers against the virus.

"They have talked about being the repository of users' information," said Greg Shipley, director of consulting for network-protection company Neohapsis, "but they have trouble keeping their own stuff secure."

Microsoft hosts all the security updates and patches for its products on its site, making it a key destination for Windows users when a worm such as Nimda hits the Internet.

Nimda--which is "admin," the shortened form of "system administrator," spelled backwards--started spreading early Tuesday morning and quickly infected PCs and servers across the Internet. Also known as Readme.exe and W32.Nimda, the worm is the first to use four different methods to infect not only PCs running Windows 95, 98, Me and 2000, but also servers running Windows 2000.

The worm spreads by sending e-mail messages with an infected attachment, scanning for and infecting vulnerable Web servers running Microsoft's Internet Information Server software, copying itself to shared disk drives on networks, and appending JavaScript to Web pages that will download the worm to a surfer's PC when they view the page.

It's the latest mode of distribution that many thought had affected Microsoft. Visitors to the software giant's FrontPage site apparently became the target of the Nimda worm when the site attempted to upload the code to their computers. Luckily for them, the code was not there.

That should be a small comfort to customers, said Neohapsis' Shipley.

"Not only do they have an application-development history of having massive security flaws," he said, "they have an operations history of having flaws."

In August, Microsoft admitted that its Hotmail e-mail service had been infected by Code Red.

Microsoft isn't alone, however. This time around, several Web servers really were infected with the worm.

In one case, the marketing site for fast-food chain Carl's Jr. was infected by the worm. Several CNET News.com readers noticed the compromised server when the site attempted to upload the Nimda worm to their PCs.

"That server is hosted elsewhere," said Daniel Baker, director of IT security for parent company CK Restaurants. "They are aware of the problem and will have it resolved soon." Baker added that the worm had not infected the company's own network.

Another site, Wininternals.com, is also infected. Readers should not attempt to view the site without adequate antivirus protection and without first setting their browser security to "high."

David Dittrich, senior security engineer for the University of Washington and a computer forensics expert, believes software makers such as Microsoft will need to be proactive about future security holes and treat them like product defects.

"Somehow, as the number of patches coming out is going up exponentially, the word has to get out to a larger number of people to apply the patches," Dittrich said. Rather than post an advisory on a hard-to-find Web site, software companies should contact customers to tell them to update their software immediately, he said.